USG FLEX 200H - IPSEC Site To Site VPN - FIRMWARE BUG V1.35(ABWV.2)
Multiple VPN connections can't be established when there are two distinct networks on the same Flex 200. For example, you have a port with IP subnet address 192.168.1.0/24 and another port with subnet 192.168.10.0/24. If you attempt to create two distinct IPSEC Site to Site VPN connections, it will fail. In this example, there are two offices and two Flex 200s. One office has the two subnets mentioned above, and the other office needs to connect to both subnets via VPN using the same Flex 200.
The firmware is getting confused on which VPN configuration to use for the Pre-Shared Key. The workaround for this is to use the same Pre-Shared Key for each VPN connection.
This one was a doozy. I was working on and off on this issue when I had time and simply could not get a VPN connection. Something so simple was impossible! Finally deduced it was the Pre-Shared Key issue.
I'm not sure if this is the correct place to report a bug. Please send where needed.
All Replies
Hi @SunglassesGuy,
Regarding the issue you’re encountering, could you please update your USG FLEX 200H to the latest firmware version, v1.37(ABWV.1)? This behavior may have been addressed in subsequent releases, as we've implemented bug fixes and enhancements for VPN functionality.
After upgrading to the latest firmware, please reconfigure your VPN settings and test again. If the issue persists, kindly provide the following information via private message so we can investigate further:
- Configuration file
- Any error messages shown on both firewalls when the VPN connection fails (screenshots are welcome)
This will help us identify the cause and investigate more effectively. Thank you for your cooperation!
Zyxel Tina
There is a confusing problem with the FLEX H and IKEv1 support for multiple VPNs that I list here:
IKEv1 and IKEv2 many tunnels issues — Zyxel Community
In short, from what I remember: with IKEv1, when the FLEX H side is the responder only, even if you have a different phase 1 or local or peer ID, you can only have one tunnel; but when the FLEX H is the nailed-up side with a different phase 1 or local or peer ID, you can have many tunnels. IKEv2 does not have this problem.
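As an added illustration (not code from Zyxel or from any post in this thread), the model below shows why a responder running IKEv1 main mode can only select a pre-shared key by the peer's source address, so two IKEv1 tunnels from one peer gateway with different keys, as in the original post, are ambiguous, why sharing one PSK removes the ambiguity, and why IKEv2 identities avoid it. The addresses, hostnames, keys and the first-match responder behaviour are constructed assumptions of the model, not observed firmware behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Tunnel:
    name: str
    peer_addr: str    # remote gateway address
    peer_id: str      # identity the peer presents (address, FQDN, ...)
    psk: str
    ike_version: int  # 1 or 2

def candidate_psks(tunnels: List[Tunnel], version: int, peer_addr: str,
                   peer_id: Optional[str] = None) -> List[str]:
    """Distinct PSKs a responder could choose for an incoming IKE exchange.

    IKEv1 main mode: the peer's ID payload is sent only after keys derived
    from the PSK are in use, so the responder must choose a PSK from the
    source address alone. IKEv2: IDi arrives in IKE_AUTH together with AUTH,
    so the responder can select the key by identity.
    """
    if version == 1:
        matches = [t for t in tunnels
                   if t.ike_version == 1 and t.peer_addr == peer_addr]
    else:
        matches = [t for t in tunnels
                   if t.ike_version == 2 and t.peer_addr == peer_addr
                   and (peer_id is None or t.peer_id == peer_id)]
    return list(dict.fromkeys(t.psk for t in matches))  # dedupe, keep order

def responder_can_authenticate(tunnels: List[Tunnel], version: int,
                               peer_addr: str, peer_id: Optional[str],
                               initiator_psk: str) -> bool:
    """Modelled (assumed) responder that always takes the first candidate key.

    With two IKEv1 tunnels from one address and different keys, whichever
    tunnel is listed second can never authenticate.
    """
    cands = candidate_psks(tunnels, version, peer_addr, peer_id)
    return bool(cands) and cands[0] == initiator_psk

# Constructed sample: one remote gateway, two tunnels (one per local subnet)
REMOTE = "203.0.113.10"
IKEV1_DISTINCT = [Tunnel("lan1", REMOTE, REMOTE, "key-for-lan1", 1),
                  Tunnel("lan10", REMOTE, REMOTE, "key-for-lan10", 1)]
IKEV1_SHARED = [Tunnel("lan1", REMOTE, REMOTE, "one-shared-key", 1),
                Tunnel("lan10", REMOTE, REMOTE, "one-shared-key", 1)]
IKEV2_BY_ID = [Tunnel("lan1", REMOTE, "lan1.branch.example", "key-for-lan1", 2),
               Tunnel("lan10", REMOTE, "lan10.branch.example", "key-for-lan10", 2)]
```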
I upgraded to v1.37(ABWV.1) this morning and it seems to have made the problem worse. Unfortunately I cannot test further, because the utility company shut power off in the area for repairs. Will circle back when power is restored. I should note, this same Flex 200 which is having problems has no problem when it is connected to a Flex 500 or a ZyWall 110 in the exact same configuration. The problem is only exhibited when two Flex 200s attempt IPSEC VPN in the configuration described above.
I suspect it has something to do with the way Gateways are configured. In the old method, from the ZyWall series and also in the Flex 500, the Gateways are on a separate page. The Flex 200 changed to a configuration page where the gateway is now incorporated on the same config page.
Looking at the logs, it almost looks like one connection kicks the other off. When it sees the 2nd connection attempt to connect, it also springs to action and attempts to connect, and kicks the 2nd one off.